Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1048
Views
14
Helpful
11
Replies

ASA 5512x Failover with 5512x with firepower

h.infotronique1
Level 1
Level 1

‎08-27-2017 04:51 AM - edited ‎02-21-2020 06:14 AM

I have ASA 5512x Base licence with Firepower i want to make upgrade of his licence and purchase a second ASA 5512x  SEc-Plus without Firpeower to make a failover is that possible and how i configure it?

thank you.

 

Labels:
0 Helpful
11 Replies 11

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-27-2017 07:35 AM - edited ‎08-27-2017 07:36 AM

Both base units must have the Security Plus license to establish HA.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-license.html#concept_60A6CB359C7E427B9D0F46733E2DC4D3

 

Regarding the Firepower service software module - are you using it currently? If you aren't then I recommend just uninstalling it. If you are, then disable module status checking: 

no monitor-interface service-module

 (requires ASA 9.3(1) or later).

h.infotronique1
Level 1
Level 1
In response to Marvin Rhoads

‎08-28-2017 02:20 AM

Hello, 

thank you for your response than i shall have another ASA 5512x with firepower, but should I activate the second Firepower  licence or not?

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to h.infotronique1

‎08-28-2017 05:04 AM

Hi,

Does that means you're using Firepower?. If Yes, you'll need same devices, take a look here: https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01100110.pdf

Thanks

PS: Please don't forget to rate and select as validated answer all helpful answers

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

h.infotronique1
Level 1
Level 1
In response to Francesco Molino

‎08-28-2017 06:39 AM

Exactly i use firepower but i dont want activatite on the second ASA i want the failover for ASA not Firepower, is that possible ?

thank you.

 

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to h.infotronique1

‎08-28-2017 11:28 AM

Hi 

 

You won't be able to build up the failover as the hardware should be exactly the same on both appliances. 

That's why Marvin said to uninstall or disable sfr.

 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

h.infotronique1
Level 1
Level 1
In response to Francesco Molino

‎08-29-2017 06:35 AM

Hi,

I know that I bothers you with my questions but I need to be sur before I purchase any thing, so if I buy the same one as that I have than  should I purchase the licence for URL filtring and IPS and AMP ?

thank you very much for your help

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to h.infotronique1

‎08-29-2017 08:51 AM

Hi

 

Normally they should have the same licenses. I highly recommend to just ping your Cisco SE or Partner to confirm.

 

Here Cisco Output for FTD: (https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v601_chapter_01100110.pdf)

 

  1. License Requirements

    Firepower Threat Defense devices in a high availability configuration must have the same licenses. Before high availability is established, it does not matter which licenses are assigned to the secondary/standby device. During high availability configuration, the Firepower Management Center releases any unnecessary licenses assigned to the standby device and replaces them with identical licenses assigned to the primary/active device. For example, if the active device has a Base license and a Threat license, and the standby device has only a Base license, the Firepower Management Center communicates with the Cisco Smart Software Manager to obtain an available Threat license from your account for the standby device. If your Smart Licenses account does not include enough purchased entitlements, your account becomes Out-of-Compliance until you purchase the correct number of licenses. High availability configurations require two Smart License entitlements; one for each device in the pair.

 

 

Thanks

 

PS: Please don't forget to rate and select as validated answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to h.infotronique1

‎08-29-2017 08:55 AM

Francesco's citation was specific to FTD but whether you use ASA with Firepower service module or FTD image type the licenses should match.

We typically build a device group in Firepower Management Center and then you apply the single policy set to both devices at the same time. That is one of the advantages of using FMC vs. inidivually managing the modules via ASDM. Firepower configurations do not autmatically sync like ASA configs do in an HA pair.

Francesco Molino
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎08-29-2017 09:09 AM

Well done Marvin.

I noticed i only spoke about FTD and not firepower 😀

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni

‎08-27-2017 07:46 AM

Sorry I posted something but don't know what happened it's been deleted.
Anyway, Marvin give you all information then I'm not gonna re-write all :-)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

h.infotronique1
Level 1
Level 1
In response to Francesco Molino

‎08-28-2017 02:22 AM

Hi,

Tahnk you Mr  Francesco Molino .

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card